Google flips switch on Chrome's newest defensive technology

Google flips switch on Chrome's newest defensive technology

With 'Site Isolation' in use, the browser should be better protected from Spectra-like attacks designed to steal info such as log-on credentials

Google has switched on a defensive technology in Chrome that will make it much more difficult for Spectra-like attacks to steal information such as log-on credentials.

Called "Site Isolation," the new security technology has a decade-long history. But most recently it's been cited as a shield to guard against threats posed by Spectre, the processor vulnerability sniffed out by Google's own engineers more than year ago.

Google unveiled Site Isolation in late 2017 within Chrome 63, making it an option for enterprise IT staff members, who could customise the defence to shield workers from threats harboured on external sites.

Company administrators could use Windows GPOs - Group Policy Objects - as well as command-line flags prior to wider deployment via group policies.

Later, in Chrome 66, which launched in April, Google opened the field testing to general users, who could enable Site Isolation.

Google made clear that Site Isolation would eventually be made the default in the browser, but the firm first wanted to validate the fixes addressing issues that cropped up earlier testing. Users were able to decline to participate in the trial by changing one of the settings in the options page.

Now, Google has switched on Site Isolation for the vast majority of Chrome users - 99 per cent of them by the search giant's account.

"Many known issues have been resolved since (Chrome 63), making it practical to enable by default for all desktop Chrome users," Charlie Reis, a Google software engineer, wrote in a post to a company blog.

Site Isolation, Reis explained, "Is a large change to Chrome's architecture that limits each renderer process to documents from a single site." With Site Isolation enabled, attackers will be prevented from sharing their content in a Chrome process assigned to a website's content.

"When Site Isolation is enabled, each renderer process contains documents from, at most, one site," Reis continued. "This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using 'out-of-process iframes.'"

That, Reis added, was a major change to how Chrome works, and one that engineers had been pursuing for several years, long before Spectre was uncovered.

Reis' PhD dissertation of almost decade ago was on the subject, and the Chrome team has been working on it for six years.

"This is an extremely impressive achievement," tweeted Eric Lawrence, a former senior software engineer at Google but now a principal program manager at rival Microsoft.

"Google invested many engineer-years in a feature that initially seemed hopelessly out of whack from cost/benefit POV [point-of-view]. And then, suddenly, it wasn't just a nice-to-have DiD [defence-in-depth], but instead an essential defence against a class of attack."

Others chimed in as well.

"The current version defends only against data leakage attacks (e.g. Spectre), but work is under way to protect against attacks from compromised renderers," tweeted Justin Schuh, principle engineer and director on Chrome security.

"We also haven't shipped to Android yet, as we're still working on resource consumption issues."

Resource consumption may not be a Google-mandated "issue" with Site Isolation, but there are trade-offs when using the technology, the company acknowledged.

"There is about a 10-13 per cent total memory overhead in real workloads due to the larger number of processes," Reis said, then added that engineers are continuing to work on reducing that memory hit.

At least the additional memory load estimate is smaller than before. Back when Chrome 63 debuted with Site Isolation, Google admitted that using it would increase in memory usage by up to 20 per cent.

Users will be able to verify that Site Isolation is turned on - that they're not part of the one per cent left out in the cold as part of Google's efforts to "monitor and improve performance" - in Chrome 68 when that launches later this month by typing chrome://process-internals in the address bar (that doesn't work in Chrome 67 or earlier).

Currently, checking requires more work on the user's part: It's spelled out in this document under the "Verify" subheading. Computerworld used the latter to make sure its instances of Chrome had Site Isolation enabled.

Site Isolation is to be included in Chrome 68 for Android, Reis said. More functionality will also be added to the desktop edition of the browser.

"We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes," he wrote. "Stay tuned for an update about these enforcements."

(By Gregg Keizer, Computerworld)

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Googlechrome



Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Reseller News has honoured the leading female front runners of the New Zealand ICT industry at the 2019 Women in ICT Awards (WIICTA) in Auckland. The awards recognised standout individuals across six categories, spanning Entrepreneur, Rising Star, Shining Star, Community, Technical and Achievement. Photos by Gino Demeer.

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA
Reseller News kicks off awards season in 2019 with Judges' Lunch

Reseller News kicks off awards season in 2019 with Judges' Lunch

The 2019 Reseller News Innovation Awards has kicked off with the Judges Lunch in Auckland with 70 judges in the voting panel. The awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors. Photos by Christine Wong.

Reseller News kicks off awards season in 2019 with Judges' Lunch
Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomed 2018 inductees - Chris Simpson, Kendra Ross and Phill Patton - to the third running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing landscape of the technology industry in New Zealand, while outlining ways to attract a new breed of players to the ecosystem. Photos by Gino Demeer.

Reseller News welcomes industry figures for 2019 Hall of Fame lunch
Show Comments